FortaRisks

CVE

A CVE (Common Vulnerabilities and Exposures) is the public, unique identifier assigned to a known security vulnerability. The CVE system, maintained by MITRE and supported by CISA, gives each flaw a common name (for example CVE-2024-3094) so that everyone refers to the same thing.

Updated on July 2, 2026

What is a CVE?

CVE stands for Common Vulnerabilities and Exposures. It is a public referencing system that assigns a unique identifier to each publicly disclosed security vulnerability, in the form CVE-year-number. The program is coordinated by MITRE, with support from CISA, and relies on a network of organizations authorized to issue identifiers.

The goal is simple but fundamental: give flaws a common name. Without it, the same defect would be described differently by every vendor, scanner and bulletin, making coordination impossible.

Why it matters for your organization

The CVE is the basic building block of all vulnerability management. Your scanners, your inventory, your threat-intelligence feeds and your suppliers' bulletins all speak the CVE language. That is what lets you tie an alert to a specific asset in your estate.

Volume is the real challenge: the number of CVEs published grows every year. Without a prioritization method, teams drown in an unmanageable queue and patch at random rather than by actual risk.

How to use CVEs effectively

  • Up-to-date inventory: know which components and versions you run (an SBOM helps a lot).
  • Correlation: automatically link published CVEs to your exposed assets.
  • Risk-based prioritization: combine CVSS, EPSS and presence in the CISA KEV catalog.
  • Reaction window: prioritize actively exploited flaws, where time matters most.

Where organizations most often fall short

The most common mistake is driving remediation by CVSS score alone, patching every "critical" flaw first without checking whether it is actually exploited. The result: effort scattered across theoretical vulnerabilities while lower-scored but actively exploited flaws stay open.

Frequently asked questions

What is the difference between a CVE and a CVSS score?

The CVE is the vulnerability's identity: a unique identifier and a description. The CVSS score is a severity rating, from 0 to 10, assigned to that vulnerability. A CVE can also carry an EPSS score, which estimates the likelihood of exploitation. The CVE tells you what the flaw is, while CVSS and EPSS help decide where to start.

Do all CVEs need to be patched immediately?

No, and trying to fix everything at once is the surest way to prioritize nothing. Tens of thousands of CVEs are published each year, but only a minority are actually exploited. You prioritize by combining severity (CVSS), likelihood of exploitation (EPSS) and confirmed exploitation (the CISA KEV catalog).
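The prioritization described in the "How to use CVEs effectively" list and in this answer, as an added Python example (not code from FortaRisks): it validates identifiers against the CVE-year-number form, correlates a constructed CVE feed with a constructed component inventory, and orders the remediation queue KEV entries first, then by EPSS, then by CVSS. All identifiers, component names and scores are placeholders.

```python
import re
from dataclasses import dataclass

# Identifier form stated on the page: CVE-<year>-<sequence>, sequence of at least four digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

@dataclass(frozen=True)
class Cve:
    cve_id: str
    component: str    # affected package (constructed sample data)
    cvss: float       # severity, 0 to 10
    epss: float       # estimated probability of exploitation, 0 to 1
    in_kev: bool      # listed in the CISA KEV catalog (confirmed exploitation)

# Constructed inventory: asset -> components running on it (an SBOM would feed this).
INVENTORY = {
    "web-01": {"libfoo", "barhttpd"},
    "db-01": {"libfoo", "quxdb"},
}

# Constructed feed; the identifiers are placeholders, not real advisories.
FEED = [
    Cve("CVE-2024-0001", "barhttpd", 9.8, 0.02, False),     # "critical" but rarely exploited
    Cve("CVE-2024-0002", "libfoo", 7.5, 0.91, True),        # lower score, confirmed exploited
    Cve("CVE-2024-0003", "quxdb", 5.3, 0.40, False),
    Cve("CVE-2024-0004", "notdeployed", 10.0, 0.95, True),  # component absent from the estate
    Cve("BAD-ID", "libfoo", 9.0, 0.50, False),              # malformed identifier, rejected
]

def correlate(feed, inventory):
    """Return (cve, affected assets) for each well-formed CVE matching a deployed component."""
    hits = []
    for cve in feed:
        if not CVE_ID.match(cve.cve_id):
            continue  # unknown identifier format: cannot be tied to any bulletin or scanner
        assets = sorted(a for a, comps in inventory.items() if cve.component in comps)
        if assets:
            hits.append((cve, assets))
    return hits

def priority_key(cve):
    """KEV first (confirmed exploitation), then likelihood (EPSS), then severity (CVSS)."""
    return (not cve.in_kev, -cve.epss, -cve.cvss)

def prioritize(feed, inventory):
    """Ordered remediation queue as a list of (cve_id, affected assets)."""
    ranked = sorted(correlate(feed, inventory), key=lambda hit: priority_key(hit[0]))
    return [(cve.cve_id, assets) for cve, assets in ranked]

if __name__ == "__main__":
    for cve_id, assets in prioritize(FEED, INVENTORY):
        print(cve_id, assets)
```

Sorting by CVSS alone would put CVE-2024-0001 at the top; the combined key puts the KEV-listed CVE-2024-0002 first and drops the CVE that affects nothing in the inventory.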
